After hackers gain access to a healthcare provider or insurer’s database, HIPAA breach class action lawsuits are certain to follow. The dust has not even settled after the announcement that Premera Blue Cross suffered a breach in which the healthcare records of approximately 11 million individuals were obtained by thieves, and already 5 class-action lawsuits have been filed against the insurer.
This is nothing new, and after a HIPAA data breach of this magnitude it is perhaps not surprising that cases have been prepared against the organization concerned. In the past, however, most such lawsuits have failed. The lawsuits filed against Premera draw on a precedent set in November by the Connecticut Supreme Court, which agreed that a case against a healthcare provider could be heard on the grounds of negligence.
Class Action Claims for Data Breaches
In order for damages to be awarded in class action claims for data breaches, plaintiffs have previously had to prove that they actually suffered harm or damage after their healthcare records were exposed. Unless the victim has suffered identity or medical fraud, this is difficult to do. A data breach victim may have to live with a higher risk of suffering fraud, but with credit monitoring services paid for by the healthcare organization, it is unlikely that such a lawsuit would result in a settlement being reached.
HIPAA Breach Class Action Lawsuits Being Filed for Negligence
The HIPAA breach class action lawsuits against Premera Blue Cross criticized the speed at which the insurer responded to the breach. Notification letters were sent 6 weeks after the discovery of the improper accessing of records. The flow of information to the victims has also been slow, and this too has been pointed out. The cases themselves, however, are being filed for negligence, for failing to protect sensitive data from hackers, and for breach of contract, for not implementing the security measures that members had paid for through their insurance premiums.
Although the level of damages being claimed by each individual is not reported, cases typically claim damages of around $1,000 per individual. This potentially puts the value of the cases at $11,000,000,000.
The Penalties for HIPAA Non-Compliance are High
Healthcare organizations should bear in mind that they may not just face penalties for HIPAA breaches from the Office for Civil Rights. Penalties for HIPAA breaches are also being issued by state Attorneys General, and class action lawsuits may prove to be successful on the grounds of negligence or breach of contract.
The best way to avoid a HIPAA breach penalty and legal action is to conduct a thorough risk analysis and security audit, develop a plan to deal with the security vulnerabilities that are uncovered, and make sure these are addressed in a timely fashion. It is also essential to train staff on the rules and regulations covering the use and disclosure of PHI.